OFFICE OF INSPECTOR GENERAL
Audit Report
Fiscal Year 2011 Evaluation of Information Security at the Railroad Retirement Board

This abstract summarizes the results of the subject audit. The full report includes information protected from disclosure and has been designated for limited distribution pursuant to 5 U.S.C. § 552.

Report No. 12-02
January 05, 2012

RAILROAD RETIREMENT BOARD

REPORT ABSTRACT
Fiscal Year 2011 Evaluation of Information Security at the Railroad Retirement Board

The Office of Inspector General for the Railroad Retirement Board (RRB) conducted an evaluation of information security at the RRB for fiscal year (FY) 2011, as mandated by the Federal Information Security Management Act of 2002 (FISMA). The objectives of our evaluation included (1) testing the effectiveness of the information security policies, procedures, and practices of a representative subset of the agency's information systems, and (2) reporting on selected elements of the agency's information security program in compliance with the Office of Management and Budget's FY 2011 FISMA reporting instructions.

In a separately issued Restricted Distribution report, we communicated that the RRB continues to make progress in implementing an information security program that meets the requirements of FISMA; yet a fully effective security program has not been achieved. The significant deficiency in the internal control structure over the review of contractor deliverables, associated with the risk management framework, remains unresolved. Additionally, we are citing the RRB with a significant deficiency in its security configuration management program. We also noted some lesser deficiencies in the RRB's security program. In total, we made 13 detailed recommendations to RRB management related to:

    •   developing and implementing a comprehensive risk management governance strategy that builds information security capabilities into federal information systems, maintains awareness of the systems' security state, and provides essential information to facilitate decisions;
    •   obtaining the necessary funding and resources to decommission unsupported equipment;
    •   providing additional security awareness training to employees;
    •   improving data collection methods, and performing a quality assurance review of security incidents and data reported internally and externally;
    •   implementing and performing a quarterly quality assurance review for the preparation and processing of system access re-authorizations; and
    •   formally reviewing and publishing the agency's Capital Planning and Investment Control Guide.

RRB management has agreed to take corrective actions for all recommendations.